Spoofed Website Cause

teancum144 · October 2012

An accountant has logged onto the company's external banking website. An administrator using a TCP/IP monitoring tool discovers that the accountant was actually using a spoofed banking website. Which of the following could have caused this attack?

A. Altered hosts file
B. Blue snarfing
C. Network mappers
D. DNS poisoning
E. Packet sniffing

The answer is "A", but why couldn't it be "D"?

ptilsen · October 2012

It absolutely could be, and a DNS poisoning attack is probably more likely than a hosts file attack (an attacker with host file access would almost certainly be able to implement keylogging, and as such not need to spoof web pages).

Practice tests are rarely perfect, and even the real tests can get it wrong. I used Preplogic for Security+ back in 2010, and in the course of studying submitted no fewer than ten corrections for their relatively small selection of questions.

teancum144 · October 2012

Makes sense, thanks for the feedback.

Bill3rdshift · October 2012

teancum144 wrote: »

An accountant has logged onto the company's external banking website. An administrator using a TCP/IP monitoring tool discovers that the accountant was actually using a spoofed banking website. Which of the following could have caused this attack?

A. Altered hosts file
B. Blue snarfing
C. Network mappers
D. DNS poisoning
E. Packet sniffing

The answer is "A", but why couldn't it be "D"?

The explanation involves the way Windows resolves FQDN's. That is, Windows will query the local machines "Host File" before querying a remote DNS server. The Host File is located in C:\windows\System32\drivers\etc\hosts. If this file is altered in a malicious manner then a user could be directed to a spoofed webpage.

You can try it out. Open the hosts file in notepad and create an entry w/ domain and IP. For instance google.com to IP 174.133.7.131 save the hosts file. Now going to google.com will take you to techexams.net

I do agree this question is ambiguous and vague. Where did you get this question from? This question should ask for the TWO methods this scenario could happen. Anyway GoodLuck

paul78 · October 2012

This is a stretch and I'm really not familiar with how much technical detail Security+ expects but...

The reason why I would expect A to be a more correct answer is because the question provides a clue that the Administrator detected the issue with a TCP/IP packet sniffer. The comment provided by @Bill3rdShift sets the foundational reason. Theoretically, if a host file was altered, no DNS request would have been made or the DNS query would have returned a correct IP address. But an altered host file would have caused HTTP traffic to be directed at a different destination IP. If DNS poisoning was used - TCP/IP monitoring (which I presume to mean packet sniffing analysis) would not have been able to detect DNS poisoning as the poison-ed DNS entry would match the expected HTTP traffic to the IP destination.

Just a wild guess

ptilsen · October 2012

DNS cache poisoning could still be used. Unless the network administrator is using the same DNS server as the user, which is not a fair assumption nor is it stated in the question, there is no reason the administrator couldn't have detected that the user was going to a spoofed web site. Additionally, the administrator could be able to discern it was a spoofed web site after visiting the IP address and noticing other factors (lack of SSL, invalid SSL certificate, etc.), which is not contrary to the premise of the question.

Which is not to say I disagree with you -- the question writer might have intended your interpretation, but I disagree with that premise if it was the writer's intent. There is no implied reason this must or should be an altered hosts file rather than DNS cache poisoning.

paul78 · October 2012

One of the fun things about ambiguous questions is how we can pick apart the question writer's words. Like the choice to use the term "TCP/IP monitoring tool" which I took to mean a traffic flow analyzer of some sort

I don't disagree with you either - but the question writer never said the Administrator was using any DNS server nor did anything other than to use a "TCP/IP monitoring tool".

But you are correct - taking your scenario - a spoofed web site is very likely return HTTP traffic where a traffic monitor would have detected SSL CN name mismatches or certificates which are self-signed with untrusted CA's. So 'D' is correct.

Hmm... Maybe we should put it to a vote

teancum144 · October 2012

Really insightful feedback from all. Much appreciated.

Bill3rdshift, this question came from a Security+ exam prep webinar offered by Brookline college through BrightTALK: brookline college | BrightTALK

Unfortunately, the host is sometimes not very informative with his explanations (probably in cases where the question is difficult or poorly constructed).

teancum144 · October 2012

paul78 wrote: »

If DNS poisoning was used - TCP/IP monitoring (which I presume to mean packet sniffing analysis) would not have been able to detect DNS poisoning as the poison-ed DNS entry would match the expected HTTP traffic to the IP destination.

I'm not sure what you mean by "would match the expected HTTP traffic to the IP destination"? Forgive my ignorance. Please elaborate how the sniffed data would allow the administrator make this conclusion.

teancum144 · October 2012

I'm still struggling to understand why a DNS poisoning attack be more difficult to detect using paul78's assumptions, but easier to detect using ptilson's assumptions.

Also, why would it make a difference if the administrator were using the same DNS server?

ptilsen · October 2012

Paul's point is that because DNS was poisoned, the user would be going to the IP address the DNS returned, and there would be no apparent malicious activity from an IP monitoring tool alone. It would show an HTTP request for a URL that appears to be valid to the administrator.

My counter is that if the administrator were not using the same DNS server, he would see the user going to an IP address that doesn't match the domain name, since the administrator's DNS server cache was not poisoned.

paul78 · October 2012

Righto... Basically what ptilsen said... Also with the scenario that ptilsen mentioned, it's not really even necessary for DNS to be involved. The question said that the accountant was using an external bank site, so its a valid assumption to presume is that the web site traffic will be using HTTPS because all banking sites use HTTPS for server-side authentication and encryption.

If the site was spoofed, two things will happen:

The IP address of the web site destination will be different than the intended original and;
The SSL certificate of the spoofed site will either be:
1. signed by an untrusted certificate authority or:
2. the SSL certificates common name (CN) will not match the intended DNS record.

The difference in my interpretation is because I surmised that if the host file was compromised then the packet sniffer would have seen that the Accountant's computer did not make a DNS query prior to making a connection to the spoofed website.

But as I think about it - my analysis isn't correct because the question doesn't state that the Accountant was using a Windows PC and the computer could have previously cached the DNS entry, hence not requiring a DNS query over the network.

What would have been more plausible is that a packet sniffer would have detected SSL certificate differences. The SSL issues would have occurred regardless of a compromised host-file or a DNS spoof.

A caveat - I'm actually not familiar with Comptia or Security+ so I don't know much about the level of expertise that the questions are expecting. But with other certs like ISC2's CISSP, you are expected never to add assumptions other than the evidence that is given and you have to select the "best" answer. So in this case, I re-phrased the question. Restated - I asked myself - "what type of attack can be always detect a spoofed HTTPS web site using only a packet sniffer". In this case, the best correct answer is probably D.

The problem with my analysis is that the question author used the phrase "could have caused this attack"

which makes the question a bit more open because it allows for "could be" scenarios. So A could be right too.

Basically, imho - it's a badly worded question

But I like you line of thinking and if you are digging into these questions, then it sounds like you are getting the various intricacies of the technology, I have no doubt you will do great on the exam.

ptilsen · October 2012

I will throw this out there: I did take security+, and I don't remember it having anything that would require this level of analysis. I agree with Paul; it's a badly worded question.

teancum144 · October 2012

I actually enjoy the analysis and it improves my understanding (which is more important to me than passing the test - although passing is still important).

I cannot emphasize enough how grateful I am -- I'm learning so much from you guys.

Bill3rdshift · May 2013

teancum144 wrote: »

I actually enjoy the analysis and it improves my understanding (which is more important to me than passing the test - although passing is still important).

I cannot emphasize enough how grateful I am -- I'm learning so much from you guys.

+1 Now if this topic/issue arises in the future you have a strong understanding!

Spoofed Website Cause

Comments